
Ransom:Win32/Reveton.gen!C


First posted on 23 May 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Reveton.gen!C.

Explanation:

Threat behavior

Installation

When it runs, it creates a shortcut file in the , so that it automatically runs every time Windows starts. This shortcut file has the following naming format:

.lnk - might be detected as Trojan:Win32/Reveton!lnk

For example, if the Reveton.gen!C file name is filename.dll, then the shortcut file is named emanelif.lnk.

If, for some reason, it can't create this shortcut file, it instead drops a batch file in the same folder using this naming format:

.bat

It also makes changes to your system registry so that it loads with the legitimate Windows process svchost.exe:

In subkey: HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters\
Sets value: "ServiceDll"
With data: "" on 32-bit PCs and "" on 64-bit PCs

It might also inject itself into these legitimate Windows processes to hide its actions:

  • explorer.exe
  • taskmgr.exe - hooks the function ZwQuerySystemInformation in ntdll.dll to hide its processes
  • regedit.exe - hooks the function RegQueryValueExW in advapi32.dll to hide its registry keys
  • iexplore.exe


As part of its installation process, it also creates these files:

  • \.jss or .cpp or .dss - might also be detected as Reveton.gen!C
  • .reg - might be detected as Trojan:WinREG/Reveton.E
  • .bxx or .fee or .dat or .pad - might be detected as Trojan:Win32/Reveton.V


On a 64-bit operating system, it might also create this file:

  • .pzz or .pss - might be detected as Trojan:Win64/Reveton


Payload

Prevents you from accessing your desktop

Reveton.gen!C displays a full-screen window that covers all other windows, preventing you from accessing your desktop. The image is a fake warning pretending to be from a legitimate institution, and demands that you pay a ransom to regain control of your desktop.

Paying the ransom does not necessarily return your PC to a usable state, so this is not advisable.

The images might look like these:


Downloads and runs other malware

Reveton.gen!C can download and run other malware, detected as PWS:Win32/Reveton.B, on your PC. This malware can steal your user names and passwords for sensitive accounts, such as banking websites.

Connects to servers

Reveton.gen!C might connect to a set of remote IP addresses to download the other malware components and to upload information gathered by those components.


Disables Windows components

Reveton.gen!C stops the Windows firewall. It also stops you from running Task Manager if your screen is locked.
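The following read-only triage script is an added example, not part of the Microsoft write-up: it checks a host for the three host-side indicators described above (the Winmgmt ServiceDll change, a Startup-folder .lnk or .bat named as the reversed base name of the file it launches, and a disabled firewall profile). It assumes the legitimate Winmgmt ServiceDll is %SystemRoot%\system32\wbem\WMIsvc.dll and should be run from an elevated prompt.

```powershell
# Added triage example (not Microsoft's code). Read-only: it reports and changes nothing.
# Assumption: the legitimate Winmgmt ServiceDll is %SystemRoot%\system32\wbem\WMIsvc.dll and
# Reveton's shortcut name is the reversed base name of the file it runs (filename.dll -> emanelif.lnk).
$findings = New-Object System.Collections.Generic.List[object]

# 1. Winmgmt ServiceDll: any value other than the expected WMIsvc.dll path is worth a look.
$expectedDll = Join-Path $env:SystemRoot 'system32\wbem\WMIsvc.dll'
foreach ($key in 'HKLM:\SYSTEM\ControlSet001\services\Winmgmt\Parameters',
                 'HKLM:\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters') {
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and ([Environment]::ExpandEnvironmentVariables($dll) -ne $expectedDll)) {
        $findings.Add([pscustomobject]@{ Check = 'Winmgmt ServiceDll'; Where = $key; Detail = $dll })
    }
}

# 2. Startup-folder .lnk / .bat whose name is the reverse of the file it runs.
function Get-ReversedName([string]$path) {
    $chars = [IO.Path]::GetFileNameWithoutExtension($path).ToCharArray()
    [array]::Reverse($chars)
    return -join $chars
}
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File | Where-Object { $_.Extension -in '.lnk', '.bat' }) {
        $baseName = $item.BaseName.ToLowerInvariant()
        if ($item.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($item.FullName).TargetPath
            $hit = $target -and ((Get-ReversedName $target).ToLowerInvariant() -eq $baseName)
            $detail = $target
        } else {
            # Batch fallback: look for the un-reversed file name inside the script body.
            $original = Get-ReversedName $item.FullName
            $hit = Select-String -Path $item.FullName -Pattern $original -SimpleMatch -Quiet
            $detail = "references '$original'"
        }
        if ($hit) { $findings.Add([pscustomobject]@{ Check = 'Reversed-name startup file'; Where = $item.FullName; Detail = $detail }) }
    }
}

# 3. Firewall profiles switched off (Windows 8 / Server 2012 and later expose Get-NetFirewallProfile).
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Check = 'Firewall profile disabled'; Where = $_.Name; Detail = 'Enabled = False' })
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Reveton-style persistence indicators found.' }
```

A non-default ServiceDll or a reversed-name startup file is a lead for further investigation, not a confirmed infection on its own; confirm with an antimalware scan before acting.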



Analysis by Stefan Sellmer

Symptoms

The following could indicate that you have this threat on your PC:

  • You can't access your desktop and instead see images similar to these:


Last update 23 May 2014
